Search Details Summary

Owned by David Ruel (Unlicensed)
Last updated: Feb 18, 2019
6 min read



The Search Detail Summary page gives you complete details on a selected search. You will see the status of your search including the matched files and collected files along with the search criteria, file-level results along with details of each endpoint requested.

Details of each grid area are listed below.


  1. File category visualization by extension groups
  2. Search Details
  3. File actions (Collect - Quarantine - Tag - Delete - Export CSV)/ Search Control (Stop Search - Find Parent Emails)
  4. Search Results
  5. File level information 
  6. Endpoint details and status 

Stopping a Search

You may suspend a search while endpoints are returning results or while they are queued. To suspend a search follow the steps below:

  1. While a search is running, from the Search Results page, select File Actions > Stop Search
  2. All endpoints which have not returned results will show a "Suspended" status in the Endpoints grid
  3. All endpoints in the process of returning results will immediately stop and no further results will be returned to the grid.
  4. The Overview card in the upper left corner will display "Complete (Suspended)" as its status.

NOTE: You cannot restart a search that has been stopped! You will have to create a new search in order to begin the process again.

Endpoint Status

Status

Once a search is executed, you will be able to view the status of a search on the search results action card in the upper left corner. Using the refresh button located throughout the interface will refresh the results of the page as files are brought back to the results grid. The status grid contains the following elements:

  • Matched Files - Displays total file count of executed search
  • Matched (MB) - Displays total megabyte size of executed search
  • Status - Consists of three states: Queued, Searching, Tagging, Done
    • Queued indicates that endpoints are currently waiting to pickup a command to search
    • Searching indicates that endpoints are actively searching and returning results
    • Done indicates that all endpoints have completed their searches



Search Details Action Card



Search Criteria

The criteria by which a search was executed can be accessed by clicking on the "Show Query" link located next to the Search Details. The original query criteria will be displayed showing the endpoints and all of the groups used to create the search.


Search Details Criteria


Search Results Grid

The results grid displays file-level information from your search. It includes the following fields:

  • File Name - File name as shown on the endpoint including the file extension
  • Risk Score - The risk score calculated to a specific file
  • Tags- Auto classification of PII and other tags assigned automatically by Heureka's classification engine.
  • Keyword Match - If using keywords Interrogate will display a snippet of text along with the first word highlighted in yellow
  • Deleted - If a file has been deleted from the endpoint, a deleted flag will be displayed
  • Computer Name - The name of the endpoint computer
  • File Owner - File owner is automatically identified by the Interrogate endpoint service when indexing files
  • Extension - A file's extension (a file is NOT required to have an extension)
  • Local File Path - The path to the local file on the endpoint
  • SHA1 Hash - A file's hash value. Hash values are automatically calculated by the endpoint service during indexing
  • File Size - The file's size in megabytes
  • Date Created - The date and time a file has been created on the file system
  • Date Modified - The date and time of the last modification to the file on the file system
  • Date Accessed - The date and time of the last accessed date on the file system
  • Email Date Sent - Date and time the email was sent. MacOS-based files with OLK extensions or files that may have been previously indexed (prior to version 2.95) may not show the Date Sent information.
  • Email Date Received - Date and time the email was received. (Email Date Received is currently only valid for Microsoft generated email in .msg, .pst or .ost format). EML, EMLX and OLK13/14/15msgsource files will not have Date Received present. Email indexed prior to version 2.95 may not show the Date Received information.
  • Doc Date - Document dates displayed are as follows:


Document TypeDisplay Date
EmailDate Sent or Date Last Modified
File (Loose File) 1st MethodDate Last Modified
File (Loose File) 2nd Method

Date Created

File (Loose File) 3rd MethodField Left Empty

Search Details Results Window



File Path Filtering

When searching for specific file paths, you can use the file path filter to filter to specific path information. It is important to realize whether or not your endpoint is running MacOS or Linux versus Windows as the filtering technique will be slightly different. 

Windows File Path Filter

A windows file path use a backslash (\) as part of the path. When using the File Path Grid filter, you must double-up each backslash (\\) in order for the filter to work correctly. 

Example: I want to filter to only those files in a specific folder on my Windows desktop called "Documents".

Files in Heureka's Search Details Grid show a folder path of: C:\Users\david\Desktop\Documents

Input the following: File Path Filter > Filter > Show items with value that contains: C:\\Users\\david\\Desktop\\Documents > Filter

Once selected, the system will filter your results grid to only those files contained within the Documents folder.


MacOs and Linux 

The Mac and Linux file path uses a forward slash "/" in the Search Results Grid. When using the file path filter it is not necessary to double the forward slashes. You may simply use a single forward slash to indicate the file path you want to narrow your search results to.

Example: I want to filter to only those files in a specific folder on my Mac or Linux desktop called "Documents"

Files in Heureka's Search Details Grid show a folder path of C:/Users/david/Desktop/Documents

Input the following: File Path Filter > Filter > Show items with value that contains: C:/Users/david/Desktop/Documents

Once selected, the system will filter your results grid to only those files contained within the Documents folder.



Filtering on Windows File Path (note the double backslash)



Filtering on a Mac or Linux File Path (note the single forward slash)

File Actions

There are four main actions that can be taken at the file level. First, you may collect files to a centralized location. Second, you may quarantine files which consists of a centralized collection followed by the removal of the original and a creation of a stub file on the endpoint. Third, you may delete files at the endpoint level. Finally, you may optionally edit tagging information for a single file or a group of selected files. Please click the desired links below for more information.



Collect

Quarantine

Delete

Edit Tags